From a74c10edaf5c5ab7a59b9b9a021949158196633c Mon Sep 17 00:00:00 2001 From: Kevin McCarthy Date: Tue, 20 Aug 2019 15:17:31 -0700 Subject: [PATCH] Update autocrypt keyring documentation Recommend setting $autocrypt_dir to your normal keyring directory if you want to use your existing key. Trying to copy it over leads to signature verification issues. Even if I reversed the order (which is much less clean), that would just lead to missing key signature errors for Autocrypt messages instead. Co-authored-by: Richard Russon --- doc/manual.xml.head | 43 ++++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/doc/manual.xml.head b/doc/manual.xml.head index fdf8a84d9..036c8d35d 100644 --- a/doc/manual.xml.head +++ b/doc/manual.xml.head 
@@ -17654,21 +17654,21 @@ bind index D purge-message Still, some users may want to use an existing key from their normal keyring for Autocrypt too. There are two ways this can - be accomplished: by copying the key over to the Autocrypt - keyring, or by pointing $autocrypt_dir at your normal - keyring directory (e.g. ~/.gnupg). The first - can be done using gpg from the command line, along the lines of - gpg --export [keyid] | gpg --homedir=~/.mutt/autocrypt - --import followed by gpg --export-secret-keys - [keyid] | gpg --homedir=~/.mutt/autocrypt --import. - Once this is done, choosing (s)elect existing GPG - key during account creation will list and allow - selecting that key for the account. - - - Copying your key over has the advantage of keeping Autocrypt keys - out of your normal keyring, but there is a downside. Mutt + be accomplished. The recommended way is to + set $autocrypt_dir to your + normal keyring directory (e.g. ~/.gnupg). + Alternatively you can copy the key over to the Autocrypt keyring + (using something along the lines of gpg --export + [keyid] | gpg --homedir=~/.mutt/autocrypt --import + followed by gpg --export-secret-keys [keyid] | gpg + --homedir=~/.mutt/autocrypt --import). During account + creation, choosing (s)elect existing GPG key will + then list and allow selecting your existing key for the new + account. + + + Copying your key over keeps Autocrypt keys out of your normal + keyring, but there is a severe downside. NeoMutt first tries to decrypt messages using the Autocrypt keyring, and if that fails tries the normal keyring second. This means all encrypted emails to that key will be 
@@ -17677,10 +17677,15 @@ bind index D purge-message keyring will no longer show up in signatures when decrypting. - Pointing $autocrypt_dir to - ~/.gnupg allows Autocrypt header keys to be - imported there, but also allows web of trust to show - an appropriate signature message for verified messages. + For that reason, if you want to use an existing key from your + normal keyring, it is recommended to just set $autocrypt_dir to + ~/.gnupg. This allows web of + trust to show an appropriate signature message for + verified messages. Autocrypt header keys will be imported into + your keyring, but if you don't want them mixed you should + strongly consider using a separate autocrypt key and keyring + instead. Both methods have a couple additional caveats: -- 2.50.0
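Review bot: the first hunk's rewritten paragraph switches product name mid-way, "NeoMutt first tries to decrypt messages using the Autocrypt keyring" replaces "Mutt", while the same hunk keeps Mutt-specific paths such as ~/.mutt/autocrypt; use one name consistently for this manual. The copy-over recipe it retains also deserves one more sentence for readers weighing the two options: after `gpg --export-secret-keys [keyid] | gpg --homedir=~/.mutt/autocrypt --import` the secret key lives in two keyrings, so there are two copies to protect, back up and eventually revoke. Minor: `--homedir=~/...` relies on the shell expanding a tilde after `=`, which bash does but POSIX sh and zsh (by default) do not; `gpg --homedir ~/.mutt/autocrypt --import` works in all of them.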
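Review bot: the second hunk tells readers who "don't want them mixed" to strongly consider a separate key and keyring, but never says what mixing costs; state the consequence so the advice is actionable, e.g. "keys imported from Autocrypt headers come from whoever sent the message and carry no web-of-trust validation, so they will sit in ~/.gnupg as unverified keys alongside the ones you checked yourself." The paragraph also restates the recommendation the first hunk already makes ("The recommended way is to set $autocrypt_dir ..."); trimming "For that reason, if you want to use an existing key from your normal keyring, it is recommended to just set $autocrypt_dir to ~/.gnupg" to a short back-reference would avoid saying it twice within a few lines.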